TA Certificate Import
Huawei issues TA certificates for TA developers. For details, see TA Certificate Management. When the TEE is deployed on an ISV's or customer's privacy computing platform, TA deployment may be dynamic, and TAs sometimes need to be compiled dynamically. The existing offline issuance process for TA developer certificates does not meet these requirements. Therefore, a root or level-2 TA certificate must be provided so that ISVs or customers can deploy their own PKI system and sign TAs dynamically.
Huawei provides a tool for ISVs' or customers' platform administrators to import their own certificates to the Kunpeng TEE.

- The ISV deploys its own CA system, which issues certificates to the TAs used by the ISV's computing platform.
- The TA building and packaging process is the same as that described in TA Certificate Management. Because you do not need to apply for a TA certificate from Huawei, you can also customize the TA building and packaging process. TA certificate application and TA binary build can be completed automatically (ensure that the private key used is kept secure).
- The Kunpeng confidential computing solution provides a certificate import tool in the form of source code. The ISV's computing platform needs to preset the root TA certificate and generate a new dedicated certificate tool.
- The TA needs to obtain the original root (that is, Huawei's signature) and must be securely kept by the ISV. After the ISV imports the level-2 TA certificate, the TEE OS uses the certificate to verify the TA.
- TEE OS 1.3.0 and later versions support the import of TA developer certificate revocation lists (CRLs), including CRLs issued by Huawei or by customers' PKI systems.
- The certificate deployment function requires high permissions for the tool. Keep the tool secure and ensure that only authorized users have access to it.
- A disclaimer must be written for the tool permission.